DDOS, Botnets and Worms…Oh My!

The recent attack on the Serious Organized Crime Agency (SOCA), most likely in retaliation for the 36 data-selling sites shut down a few weeks ago, led high-ranking SOCA officials to admit that the Ministry of Defense networks need to “beef up their security.” In response, we would like to present some solutions for protecting networks and systems from external attacks such as the one that hit the MoD. We will also provide a quick run-down of security practices which, when not followed, leave doors open for malicious actors trying to gain access to internal networks, not only at the MoD but at any organization or home.

The attack launched against the MoD was a DDoS (Distributed Denial of Service) attack, carried out by what is referred to as a bot network or “botnet.” A botnet is a group of compromised systems that have been infected with a malware implant, or “bot.” The implant beacons back to a central controller and receives further commands from the person running the botnet, the “bot herder.” In a DDoS attack, every bot sends large amounts of network traffic toward one particular server. A web server can only hold open a limited number of simultaneous connections, so when tens of thousands of infected systems each open connections to the same server, the flood exhausts that capacity and blocks legitimate users from reaching the site. If it continues, the load can overwhelm the server and potentially crash it. It’s like trying to shake hands with 100 people at once. Note that each individual bot may look perfectly polite; the damage comes from the aggregate, which is why blocking a single noisy address does little against a distributed attack. A high-level approach to weathering DDoS attacks is to use redundant, load-balanced systems that can absorb the connection load during an attack or a traffic spike while keeping the web site available to legitimate users.
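To make the “polite bots, hostile aggregate” point concrete, here is an added example (not code from the original post) that slides a time window over web-server access-log lines and reports two different things: single sources that exceed a per-address rate, and windows where the total request count exceeds what the server is expected to handle. The log lines are constructed for the example; the IP ranges, thresholds and timestamps are assumptions chosen for illustration, and the Common Log Format layout is the one Apache and nginx write by default.

```python
"""Flag a connection flood in web-server access logs (constructed sample data)."""
from collections import Counter, deque
from datetime import datetime, timedelta, timezone
import re

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {ip, ts, req, status} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def flood_report(lines, window_seconds=10, per_ip_threshold=25, total_threshold=100):
    """Slide a time window over the log and report two kinds of overload.

    - loud_ips: single sources exceeding per_ip_threshold requests in any window
      (a scanner or a single-host DoS; easy to block at the firewall).
    - flood: the total request count in some window exceeding total_threshold,
      which is how a *distributed* attack shows up: many sources, each polite.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)
    active = deque()          # events inside the current window, oldest first
    per_ip = Counter()        # requests per source inside the current window
    peak_total = peak_sources = 0
    loud_ips = set()
    for ev in events:
        active.append(ev)
        per_ip[ev["ip"]] += 1
        # Drop events that fell out of the window (the current event never does).
        while ev["ts"] - active[0]["ts"] > window:
            old = active.popleft()
            per_ip[old["ip"]] -= 1
            if per_ip[old["ip"]] == 0:
                del per_ip[old["ip"]]
        peak_total = max(peak_total, len(active))
        peak_sources = max(peak_sources, len(per_ip))
        if per_ip[ev["ip"]] > per_ip_threshold:
            loud_ips.add(ev["ip"])
    return {
        "peak_requests_in_window": peak_total,
        "peak_distinct_sources": peak_sources,
        "loud_ips": sorted(loud_ips),
        "flood": peak_total > total_threshold,
    }


def build_sample_log():
    """Constructed sample: one normal visitor, one noisy scanner, and a 50-host botnet."""
    base = datetime(2011, 6, 20, 12, 0, 0, tzinfo=timezone.utc)

    def entry(ip, t, path="/index.html"):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'

    # A normal visitor: one request every ten seconds.
    lines = [entry("198.51.100.7", base + timedelta(seconds=10 * i)) for i in range(6)]
    # A single host hammering /login: 30 requests in about six seconds.
    lines += [entry("203.0.113.9", base + timedelta(seconds=0.2 * i), "/login") for i in range(30)]
    # 50 bots, each sending only 5 requests, all landing in the same 5-second span.
    for bot in range(50):
        lines += [entry(f"192.0.2.{bot + 1}", base + timedelta(seconds=20 + r)) for r in range(5)]
    return lines


if __name__ == "__main__":
    print(flood_report(build_sample_log()))
```

On the sample, only the scanner trips the per-address threshold; none of the 50 bots sends more than five requests, yet the window they share carries over 250 requests and is flagged as a flood. That is the detection gap the text describes: per-source rate limits catch the loud host, while the distributed attack is only visible in the aggregate, which has to be answered with capacity (redundant, load-balanced servers or upstream scrubbing) rather than with a blocklist.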

Internal security is tricky. For an organization such as the MoD, whose external network protection is most likely stronger than its internal protection, the key is physical security. Physical security is not just guarding the entrances to the building; it also means making sure that employees follow operational security practices every day. This includes things like:

Not keeping passwords written on post-it notes on desks or monitors

Locking the computer when the current user steps away

Logging off at the end of the day

Following the organization’s internet policy

Not revealing any login credentials to anyone. If it is absolutely necessary to share login information, ensure that it is sent via encrypted channels or if face-to-face with the recipient, in a location where other people will not overhear.

The other aspect of physical security is dealing with the actual hardware. While most organizations and government agencies do have building and office security policies, it is easy for an employee who didn’t read them to introduce something dangerous onto the company’s network. For example, in 2008 the United States Department of Defense internal network was infected with a worm known as “Agent.BTZ.” The worm was introduced when a service member plugged an infected USB drive into a DoD computer, which immediately infected the system. The worm could give remote attackers backdoor access to systems on the internal network, and it could steal documents and upload them to a remote server. This led the DoD to ban all personal re-writable storage media. It may seem like a harsh policy, but sensitive organizations such as the DoD or the MoD require it for the continued protection of sensitive information.

These security practices are useful not only for organizations and businesses but also for the average user at home:

If you are at home and you have guests over, regardless of whether you trust them or not, be sure to lock your system or shut it down.

If you use a laptop in public places, lock the system and keep the laptop itself in a bag or backpack on your person; do not leave it out in the open or on the passenger seat of your vehicle while you are not in it.

An extra security measure for laptops is to encrypt the hard drive, or at least the partitions holding sensitive data, with encryption software such as TrueCrypt, so that a stolen laptop does not also mean stolen data.

Before plugging in removable storage media, like a USB drive, owned or used by someone other than yourself, make sure the auto-run feature on your system is disabled (on Windows, the NoDriveTypeAutoRun policy under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, set to 0xFF, turns it off for every drive type). This prevents malware on the media from executing automatically the moment the drive is inserted. Then scan the drive with an anti-malware/anti-virus application to ensure that it is clean before opening anything on it.
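The mechanism auto-run relies on is a small text file, autorun.inf, at the root of the drive; a worm that spreads over removable media plants one that points at its own payload. As an added example (not from the original post), the following script parses that file and reports the directives that would actually launch a program, so you can see what a drive wants to run before you trust it. The sample autorun.inf, the file names in it and the temporary directory standing in for a drive root are all constructed for the example.

```python
"""Inspect a removable drive for autorun.inf launch directives (constructed sample)."""
import os
import tempfile

# Directives Windows AutoRun/AutoPlay would act on; icon=, label= and friends are cosmetic.
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun_inf(text):
    """Parse the [autorun] section into {lowercase key: value}; other sections are ignored."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_directives(entries):
    """Directives that run a program: open=, shellexecute=, and shell\\<verb>\\command=."""
    return {
        k: v for k, v in entries.items()
        if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))
    }


def inspect_drive(root):
    """Report on autorun.inf at the root of a mounted drive (file name matched case-insensitively)."""
    report = {"autorun_present": False, "launch": {}, "deceptive_action": False}
    for name in os.listdir(root):
        if name.lower() != "autorun.inf":
            continue
        with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
            entries = parse_autorun_inf(fh.read())
        report["autorun_present"] = True
        report["launch"] = launch_directives(entries)
        # A benign-sounding action= label is the classic trick for getting a user to
        # pick the malicious entry in the AutoPlay dialog instead of the real folder view.
        action = entries.get("action", "").lower()
        report["deceptive_action"] = bool(report["launch"]) and any(
            w in action for w in ("open folder", "view files", "explore"))
        break
    return report


# Constructed sample: an autorun.inf that launches a DLL through rundll32 while
# presenting itself as the normal "open folder" choice. File names are hypothetical.
SAMPLE_AUTORUN_INF = """\
[autorun]
; hypothetical file names, for illustration only
open=setup.exe
icon=setup.exe,0
shellexecute=rundll32.exe .\\data\\update.dll,InstallM
shell\\explore\\command=rundll32.exe .\\data\\update.dll,InstallM
action=Open folder to view files
label=Holiday photos
"""


def demo():
    """Write the sample into a temporary directory standing in for a drive root and inspect it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "AUTORUN.INF"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        return inspect_drive(root)


if __name__ == "__main__":
    print(demo())
```

Run it and the report lists three launch directives and flags the misleading “Open folder to view files” label. Two caveats: a drive with no autorun.inf can still carry malware that runs as soon as you double-click a file, so the scan step above is not optional; and Windows 7, along with XP and Vista after the February 2011 AutoRun update, no longer honors autorun.inf on USB mass-storage devices at all, only on optical media, so the NoDriveTypeAutoRun setting matters most on systems that have not received that update.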

Remember, you could have the world’s best firewall installed, but malware-infected media and a lack of physical security education and prudence can bypass every other security measure.
